Possible DNS Tunneling
Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
Sigma rule (View on GitHub)
1title: Possible DNS Tunneling
2id: 1ec4b281-aa65-46a2-bdae-5fd830ed914e
3status: unsupported
4description: Normally, DNS logs contain a limited amount of different dns queries for a single domain. This rule detects a high amount of queries for a single domain, which can be an indicator that DNS is used to transfer data.
5references:
6 - https://zeltser.com/c2-dns-tunneling/
7 - https://patrick-bareiss.com/detect-c2-traffic-over-dns-using-sigma/
8author: Patrick Bareiss
9date: 2019/04/07
10modified: 2023/03/24
11tags:
12 - attack.command_and_control
13 - attack.t1071.004
14 - attack.exfiltration
15 - attack.t1048.003
16logsource:
17 category: dns
18detection:
19 selection:
20 parent_domain: '*'
21 condition: selection | count(dns_query) by parent_domain > 1000
22falsepositives:
23 - Valid software, which uses dns for transferring data
24level: high
References
-
No matter how tightly you restrict outbound access from your network, you probably allow DNS queries to at least one server. Adversaries can abuse this "hole" in your firewall to exfiltrate data an...
Read More -
In this blog post, I will introduce another Sigma Use Case detecting Command & Control (C2) traffic over Domain Name System (DNS). DNS is used to translate human-friendly computer hostnames into IP addresses. The domain name www.test.com belongs to the top-level domain com. Each label to the left specifies a subdomain of the domain to […]
Read More
Related rules
- High DNS Requests Rate
- High DNS Requests Rate - Firewall
- High NULL Records Requests Rate
- High TXT Records Requests Rate
- Suspicious DNS Query with B64 Encoded String